
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XV - Issue #100

December 20, 2013


A heads up on the emerging security metric for 2014: Three stories this week describing important attacks are emblematic of a huge number of attacks that successfully penetrated cyber defenses this year - especially at U.S. government agencies but wherever a slavish adherence to paper-based compliance (NIST/FISMA, HIPAA, GLB) consumes the budget and exacerbates the problem rather than solving it. NSA has published its top 10 controls known to stop most attacks; they match Australia's Top 4 that have been proven to be the most important in stopping most attacks; and both fit perfectly as the starting points for implementing the Council on CyberSecurity's 20 Critical Controls. By February at the RSA conference, new free tools from two leading vendors will be available that allow organizations to benchmark their actual implementation of the Top 4. Top 4 implementation completeness will be an inexpensive, reliable metric of effectiveness of cyber defenses. Corporate CEOs and boards, and senior government officials at the federal, state and local level will be asking their CIOs to measure the effectiveness of their CISOs. Proof that the Top 4 are the first things CISOs should be able to demonstrate they have done is available from the Center for Strategic and International Studies: http://csis.org/publication/raising-bar-cybersecurity

Alan

TOP OF THE NEWS

Target Acknowledges Massive Data Breach
Intruders Gain Access to Washington Post Servers
US Federal Election Commission Computers Infiltrated During Government Shutdown

THE REST OF THE WEEK'S NEWS

Verizon to Issue Transparency Report
Google's Transparency Report Shows Sharp Increase in Takedown and Data Requests
Researchers Steal Encryption Keys by Listening to Computer's Sounds
Some Older Webcams' Activation Indicator Lights Can be Disabled
DDoS Attack Apparent Retaliation for Chinese Bank's Restrictive Bitcoin Policy
Two Sentenced in DDoS Extortion Attempt Against Online Casino
Harvard University Student Charged in Bomb Threat Tries to Hide Identity With Tor
Steep Fine for Swedish Filesharer
Report Proposes Vulnerability Purchase Plan

PESCATORE'S FIRST LOOK: DATACARD ACQUIRES ENTRUST

PESCATORE'S FIRST LOOK: Datacard Acquires Entrust

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER


************************** Sponsored By Bit9 ****************************
In this unprecedented time of cyber attacks, information about attacker methods is difficult to obtain unless you are the victim, and that is too late. This whitepaper details lessons learned from extensive interviews with security analysts and experts in the field. Learn more http://www.sans.org/info/146650
***************************************************************************
TRAINING UPDATE


- --SANS Security East 2014 New Orleans, LA January 20-25, 2014 10 courses. Bonus evening presentations include Legends: The Reality Behind the Security Fairytales We All Hear; and 10 Things Security Teams Need to Know About Cloud Security.
http://www.sans.org/event/security-east-2014


- --SANS Scottsdale 2014 Scottsdale, AZ February 17-22, 2014 6 courses. Bonus evening presentations include Offensive Digital Forensics; and Cloud IR and Forensics.
http://www.sans.org/event/sans-scottsdale-2014


- --SANS Cyber Guardian 2014 Baltimore, MD March 3-8, 2014 7 courses. Bonus evening presentations include Continuous Ownage: Why You Need Continuous Monitoring; Code Injection; and How the West was Pwned.
http://www.sans.org/event/cyber-guardian-2014


- --SANS Brussels 2014 Brussels, Belgium February 17-22, 2014 4 courses.
http://www.sans.org/event/belgium-2014


- --SANS Secure Singapore 2014 Singapore, Singapore March 10-26, 2014 7 courses. Bonus evening presentations include Incident Response and Forensics in the Cloud.
http://www.sans.org/event/singapore-2014


- --Multi-week Live SANS training
http://www.sans.org/mentor/about
Contact mentor@sans.org


- --Looking for training in your own community?
http://www.sans.org/community/


- --Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus San Antonio, Dubai, Tokyo, and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org

*****************************************************************************

TOP OF THE NEWS

Target Acknowledges Massive Data Breach (December 18 & 19, 2013)

Target has acknowledged that attackers gained access to payment card information, including card numbers, expiration dates, and security codes, of cards used at stores between November 27 and December 15. The breach does not appear to have affected customers who shopped online. In all, the breach is believed to have compromised more than 40 million accounts. A third-party forensics firm is helping with Target's investigation of the incident. The US Secret Service is investigating as well.
-http://krebsonsecurity.com/2013/12/sources-target-investigating-data-breach/
-http://www.wired.com/threatlevel/2013/12/target-hack-hits-40-million/
-http://www.computerworld.com/s/article/9244900/Breach_could_prove_very_costly_for_Target?taxonomyId=17
-http://arstechnica.com/security/2013/12/secret-service-investigating-alleged-credit-card-breach-at-target/
-http://www.zdnet.com/target-reportedly-victim-of-security-breach-since-black-friday-7000024476/

[Editor's Note (Honan): The PCI council is saying that Target was not compliant with PCI DSS at the time of the breach. ]

Intruders Gain Access to Washington Post Servers (December 18, 2013)

Servers at The Washington Post have been infiltrated again; the paper suspects the attack came from China. Mandiant, the security firm that monitors the Post's network, detected the intrusion. The attackers first gained access to a server used by the paper's foreign staff and then moved to other servers, where they were able to access employee usernames and passwords. The Post's network was also infiltrated in 2011; The New York Times, The Wall Street Journal, and several Washington, DC organizations have reported similar intrusions.
-http://www.darkreading.com/attacks-breaches/washington-post-servers-infiltrated-empl/240164882
-http://www.computerworld.com/s/article/9244887/_i_Washington_Post_i_servers_attacked_paper_suspects_Chinese_hackers?taxonomyId=17
-http://www.washingtonpost.com/business/technology/hackers-break-into-washington-post-servers/2013/12/18/dff8c362-682c-11e3-8b5b-a77187b716a3_story.html

US Federal Election Commission Computers Infiltrated During Government Shutdown (December 17, 2013)

The computer system at the US Federal Election Commission (FEC) was infiltrated during the October 2013 government shutdown. The attacks appear to have come from China. They crashed systems, and because virtually all FEC employees were deemed non-essential, there was no one present to deal with the attacks right away.
-http://thehill.com/blogs/blog-briefing-room/news/193332-report-fec-system-hacked-during-shutdown
-http://www.theatlantic.com/politics/archive/2013/12/another-massive-problem-with-us-democracy-the-fec-is-broken/282404/

[Editor's Note (Honan): With the holiday season rapidly approaching many companies will have essential staff unavailable over the holiday period. You should review your own systems, risk profile, and controls to ensure that your company does not suffer the same fate as the US Federal Election Commission.
(Northcutt): Not surprising, people have been "testing doorknobs and rattling windows for some time":
-http://talkingpointsmemo.com/livewire/someone-tried-to-hack-the-federal-election-commission-website
-http://blogs.rollcall.com/moneyline/hacking-attempts-on-federal-election-commisison-website/
]


************************** Sponsored Links: ******************************
1) "Blurring Boundaries - Trend Micro CTO Raimund Genes shares his 2014 security predictions". http://www.sans.org/info/146655

2) Complimentary eBook: "NetFlow Security Monitoring for Dummies". Download now. http://www.sans.org/info/146660

3) Using Oracle Audit Vault and Database Firewall for Data Protection. Tuesday, January 14 at 1:00 PM EST. http://www.sans.org/info/146665
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Verizon to Issue Transparency Report (December 19, 2013)

Starting in 2014, Verizon will publish semi-annual transparency reports on government requests for customer information, becoming the first US telecommunications company to do so; technology companies such as Google, Microsoft, and Facebook already publish such reports. Verizon was named in the first of the NSA documents leaked earlier this year, which revealed that the agency had been collecting the company's telephone metadata in bulk.
-http://www.washingtonpost.com/business/technology/verizon-to-publish-reports-on-surveillance-requests-wants-to-detail-nsa-efforts/2013/12/19/d9b38a06-68e4-11e3-a0b9-249bbb34602c_story.html
-http://www.zdnet.com/despite-silence-on-nsa-co-operation-verizon-plans-to-issue-transparency-report-7000024525/

[Editor's Note (Murray): Whatever a service provider's motive for compromising their customers, the least that they owe us is to tell us about it. ]

Google's Transparency Report Shows Sharp Increase in Takedown and Data Requests (December 19, 2013)

Google's most recent transparency report shows that the number of government takedown requests is increasing steadily. In the first half of 2013, Google received more than 3,800 requests from governments around the world to remove content they deemed defamatory, pornographic, or even just embarrassing. Google's report indicates that it complied with fewer than half of the requests. According to the report, the number of government requests for user data is also increasing rapidly. The US government submitted more than 10,000 requests for information about 21,683 Google users. The data do not include requests for data made under Foreign Intelligence Surveillance Act programs.
-http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/19/government-take-down-requests-to-google-hits-a-new-record-company-says/
-http://news.cnet.com/8301-1009_3-57616109-83/google-government-takedown-requests-on-the-rise/

Researchers Steal Encryption Keys by Listening to Computer's Sounds (December 19, 2013)

Researchers have demonstrated that it is possible to extract RSA decryption keys simply by listening to the high-pitched sounds a computer emits while it runs decryption routines: the acoustic signature of the modular exponentiation varies with the key being used. The technique has limitations. The attacker must get the target to decrypt thousands of attacker-chosen ciphertexts, for example by sending encrypted email to a client that decrypts incoming messages automatically, and decryption has to proceed without user interaction, so a key that prompts for its passphrase on every use is not exposed.
-http://arstechnica.com/security/2013/12/new-attack-steals-e-mail-decryption-keys-by-capturing-computer-sounds/
-http://www.theregister.co.uk/2013/12/19/acoustic_cryptanalysis/
-http://www.nbcnews.com/technology/sound-secrets-new-hacking-technique-infiltrates-hearing-or-touch-2D11777733

Research Paper:
-http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf
[Editor's Note (Assante): If keys did not have to be stored and managed or encryption/decryption processed then life would be too easy. We like to be fooled by the power of a technical security solution to whisk away a particular security risk on paper. Security is always about the context and environment in which a threat will present itself. You need to constantly remind yourself about the scenarios you are addressing and consider the others that may require different controls. The researchers present several interesting cases that demonstrate how the security posture for data residing on an encrypted machine changes as the device moves to locations where one does not control the ability of things or people to interact with the machine. Context and environment matters!
(Murray): Any phenomenon that is a function of the key that is observable from outside the crypto engine leaks information about the key. Implementers should be careful to mask or hide such phenomena. That said, crypto is so much stronger than we need for it to be, it takes a lot of leakage to impact security. ]
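The point Murray makes, that anything observable which depends on the key leaks the key, is easiest to see in the operation sequence of a textbook RSA decryption. The example below is added here and is not code from the Genkin/Shamir/Tromer paper or from the newsletter. It uses a constructed toy RSA key (n = 61 * 53, d = 2753) and records the squarings and multiplications as a string of S and M; that string stands in for the acoustic, power, or timing signal an observer would capture. A square-and-multiply loop multiplies only on 1 bits, so the trace is the private exponent in disguise and a few lines recover it; a Montgomery ladder does one squaring and one multiplication per bit regardless of its value, so two different keys of the same length produce identical traces.

```python
# Added example, not code from the paper or the newsletter: why an operation
# sequence that depends on the private exponent leaks it to anyone who can tell
# the operations apart (by sound, power, or timing), and a schedule that does not.
# The RSA parameters are constructed toy values; the paper attacks 4096-bit keys.

def modexp_square_and_multiply(base, exp, mod, trace):
    """Textbook left-to-right square-and-multiply. Records 'S' per squaring and
    'M' per multiply; the multiply happens only for a 1 bit, so the trace is a
    function of the secret exponent."""
    result = 1
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        trace.append("S")
        if bit == "1":
            result = (result * base) % mod
            trace.append("M")
    return result

def recover_exponent_from_trace(trace):
    """What an observer learns: each S is one exponent bit; an S followed by an
    M is a 1, an S followed by another S (or by the end of the trace) is a 0."""
    bits = []
    i = 0
    while i < len(trace):
        if trace[i] != "S":
            raise ValueError("each bit of the trace must begin with a squaring")
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)

def modexp_ladder(base, exp, mod, trace, nbits):
    """Montgomery ladder: exactly one multiply and one squaring per bit whatever
    the bit's value, so the operation sequence depends only on the key length.
    (Which register is written still depends on the bit; a production
    implementation replaces this branch with a constant-time conditional swap.)"""
    r0, r1 = 1, base % mod
    for i in range(nbits - 1, -1, -1):
        if ((exp >> i) & 1) == 0:
            r1 = (r0 * r1) % mod
            trace.append("M")
            r0 = (r0 * r0) % mod
            trace.append("S")
        else:
            r0 = (r0 * r1) % mod
            trace.append("M")
            r1 = (r1 * r1) % mod
            trace.append("S")
    return r0

# Constructed toy RSA key: n = 61 * 53, e = 17, d = 2753 (12 bits).
N, E, D = 3233, 17, 2753

def demo():
    """Decrypt one ciphertext both ways and compare what each trace reveals."""
    ciphertext = pow(65, E, N)
    leaky_trace = []
    plaintext = modexp_square_and_multiply(ciphertext, D, N, leaky_trace)
    recovered = recover_exponent_from_trace(leaky_trace)
    ladder_trace = []
    plaintext_ladder = modexp_ladder(ciphertext, D, N, ladder_trace, D.bit_length())
    other_trace = []
    modexp_ladder(ciphertext, 2049, N, other_trace, 12)  # a different 12-bit exponent
    return {
        "plaintext": plaintext,
        "plaintext_ladder": plaintext_ladder,
        "leaky_trace": "".join(leaky_trace),
        "recovered_exponent": recovered,
        "ladder_trace_is_key_independent": ladder_trace == other_trace,
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` decrypts to 65 both ways, but the square-and-multiply trace SMSSMSSMSMSSSSSSM hands back d = 2753 directly, while the ladder trace for d is identical to the trace for an unrelated 12-bit exponent. The real attack has to work much harder than this, because the measured signal is noisy and GnuPG's arithmetic is not a bare square-and-multiply, but the principle is the same one Murray states: the leak exists because the work done depends on the key.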

Some Older Webcams' Activation Indicator Lights Can be Disabled (December 18 & 19, 2013)

Researchers at Johns Hopkins University have found that it is possible to disable the activation indicator light by modifying the webcam firmware on some older Mac computers. Because the firmware can be reprogrammed from software running on the host, an attacker who can run code on the machine needs no physical access to the camera. The issue affects iSight webcams in Macs and MacBooks released prior to 2008.
-http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/18/research-shows-how-macbook-webcams-can-spy-on-their-users-without-warning/
-http://www.computerworld.com/s/article/9244899/Older_Mac_webcams_can_spy_without_activating_warning_light?taxonomyId=17
-http://news.cnet.com/8301-1009_3-57616067-83/beware-macbook-webcams-can-be-used-to-covertly-spy-on-people/
-http://arstechnica.com/security/2013/12/perv-utopia-light-on-macbook-webcams-can-be-bypassed/

[Editor's Note (Honan): A simpler and more effective preventative measure is to cover the camera lens on your PC with some tape. ]

DDoS Attack Apparent Retaliation for Chinese Bank's Restrictive Bitcoin Policy (December 19, 2013)

China's central bank found its website under attack, most likely because of its tough stance on Bitcoins. Earlier this week, the People's Bank of China instructed payment providers to stop providing clearing services to Bitcoin exchanges. Earlier this month, the financial institution ordered banks within the country not to conduct Bitcoin transactions. The edicts issued by the bank appear to have sent Bitcoin values into a nosedive.
-http://www.bbc.co.uk/news/technology-25447073
-http://www.theregister.co.uk/2013/12/19/bitcoin_ddos_pbos_china_bank/

Two Sentenced in DDoS Extortion Attempt Against Online Casino (December 18 & 19, 2013)

A UK Crown Court sentenced two men to 64 months in prison each for attempted extortion of an online casino. Piotr Smirnow and Patryk Surmacki, both of Poland, threatened to launch distributed denial-of-service attacks against the site. When their demands were not met, an attack lasting several hours was launched against the site in August 2013. The men were lured to a hotel near London's Heathrow Airport by a proposed meeting to discuss a way to settle the issue. Authorities recorded the meeting and the men were arrested.
-http://www.theregister.co.uk/2013/12/19/casino_cyber_extortionists_jailed/
-http://www.bbc.co.uk/news/uk-england-manchester-25436558

Harvard University Student Charged in Bomb Threat Tries to Hide Identity With Tor (December 18, 2013)

Harvard University student Eldo Kim has been charged with emailing bomb threats to the school in an attempt to avoid taking a final exam. Kim sent the messages through the Tor anonymity network, but Harvard's network logs showed that he had connected to Tor from the campus wireless network shortly before the threats were sent, which was enough to single him out.
-http://arstechnica.com/security/2013/12/use-of-tor-helped-fbi-finger-bomb-hoax-suspect/
-http://www.nbcnews.com/technology/failing-grade-alleged-harvard-bomb-hoaxer-needed-more-tor-cover-2D11767028

-http://www.theregister.co.uk/2013/12/18/harvard_bomb_hoax_charge/
-http://www.justice.gov/usao/ma/news/2013/December/KimEldochargePR.html
-http://www.wbur.org/2013/12/18/pdf-criminal-complaint-harvard-bomb-threat
[Editor's Note (Honan): Very often those wishing to hide their activity online fail to understand that it takes more than Tor to do so. Maintaining complete anonymity requires well-honed technical and operational security skills. ]

Steep Fine for Swedish Filesharer (December 18, 2013)

A Swedish court has fined a man 4.3 million krona (US $652,000) for uploading a single film to a torrent-sharing website. He was also given a suspended jail sentence and 160 hours of community service for uploading more than 500 other films. The studio that owns the rights to the first film had calculated what it considered to be its financial loss because the film was shared online.
-http://www.bbc.co.uk/news/technology-25429237

Report Proposes Vulnerability Purchase Plan (December 17 & 18, 2013)

Research firm NSS Labs has proposed an initiative that urges vendors to purchase vulnerabilities. Currently, a vulnerability sold on the open market is just as likely to wind up in the hands of individuals with malicious intent as in the possession of an entity that could take steps to protect users from attacks. The International Vulnerability Purchase Program report proposes "the systematic purchase of all vulnerabilities discovered at or above black market prices."
-http://www.scmagazine.com/researchers-propose-international-vulnerability-purchase-plan/article/326287/

-http://krebsonsecurity.com/2013/12/the-case-for-a-compulsory-bug-bounty/
Report:
-https://www.nsslabs.com/reports/ivpp

PESCATORE'S FIRST LOOK: DATACARD ACQUIRES ENTRUST


-http://www.datacard.com/datacard-news/datacard-group-announces-agreement-to-acquire-entrust-inc

Pescatore: Entrust was one of the early innovators during the PKI boom of the late 1990s, but a standalone market for PKI did not emerge and Entrust was acquired in 2009 by investment firm Thoma Bravo for $114M, at just a 1.2x multiple over that year's revenue. After growing Entrust's revenues just over 10% per year, Thoma Bravo's $500M selling price is a 4x multiple over Entrust's predicted 2013 revenue. Datacard hopes to leverage synergies between their identity card business and Entrust's PKI capabilities but most of the progress in strong authentication has involved mobile devices and not separate identity tokens that require readers.

STORM CENTER TECH CORNER

Passive vulnerability scanning
-https://isc.sans.edu/diary/Passive+Scanning+Two+Ways+-+How-Tos+for+the+Holidays/17246

Analysis of PHP.net Malware Domain Generation Algorithm
-http://www.seculert.com/blog/2013/12/dga-changer-malware-changing-seed-to-evade-sandbox.html

Apple Releases Security Update to Safari
-http://support.apple.com/kb/HT6082

Wireshark 1.10.4 Released, fixes DoS Vulnerabilities
-https://isc.sans.edu/forums/diary/Wireshark+1+10+4+and+1+8+12+are+available/17237

Android Malware uses Interesting Social Engineering Tricks
-http://www.fireeye.com/blog/technical/botnet-activities-research/2013/12/misosms.html

Malicious Firefox Plugin Used to Scan for SQL Injection Vulnerabilities
-http://krebsonsecurity.com/2013/12/botnet-enlists-firefox-users-to-hack-web-sites/

Passive Vulnerability Scanning with p0f and PVS
-https://isc.sans.edu/diary.html?storyid=17246

"Left over" authorized_keys files used to gain access to removed accounts
-https://isc.sans.edu/forums/diary/authorized+key+lime+pie/17255
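The check a practitioner wants for the leftover-key problem in the item above is an inventory of every authorized_keys file under the home directories, flagging those whose directory is no longer the home of any account. The script below is added here and is not the ISC diary's code; the home-directory root, the passwd(5) file location, and the sample accounts and keys it builds are constructed assumptions for the demonstration.

```python
# Added example (not from the ISC diary linked above): list every SSH key under
# a home-directory root and flag keys that sit in a directory no passwd entry
# still claims as its home. Layout, passwd entries and keys are constructed.
import os
import tempfile

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")

def live_home_dirs(passwd_path):
    """Home directories of every account listed in a passwd(5)-format file."""
    homes = set()
    with open(passwd_path) as f:
        for line in f:
            fields = line.rstrip("\n").split(":")
            if len(fields) == 7 and fields[0] and not fields[0].startswith("#"):
                homes.add(os.path.normpath(fields[5]))
    return homes

def parse_authorized_keys(path):
    """Return (key_type, comment) for each key line, skipping blanks and comments.
    Options such as command="..." may precede the key type, so the type is taken
    as the first token that looks like an SSH key algorithm name."""
    entries = []
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            tokens = line.split()
            for i, tok in enumerate(tokens):
                if tok.startswith(KEY_TYPES):
                    comment = " ".join(tokens[i + 2:]) if len(tokens) > i + 2 else ""
                    entries.append((tok, comment))
                    break
    return entries

def audit_authorized_keys(home_root, passwd_path):
    """Return (account_dir, status, key_type, comment) for every key found;
    status is 'orphaned' when no passwd entry names that directory as a home."""
    live = live_home_dirs(passwd_path)
    findings = []
    for name in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, name)
        keyfile = os.path.join(home, ".ssh", "authorized_keys")
        if not os.path.isfile(keyfile):
            continue
        status = "live" if os.path.normpath(home) in live else "orphaned"
        for key_type, comment in parse_authorized_keys(keyfile):
            findings.append((name, status, key_type, comment))
    return findings

def make_fixture():
    """Constructed sample: alice is still in passwd; bob's account was removed
    but his home directory and key were left behind. Returns (home_root, passwd)."""
    root = tempfile.mkdtemp()
    home_root = os.path.join(root, "home")
    for user in ("alice", "bob"):
        os.makedirs(os.path.join(home_root, user, ".ssh"))
    passwd_path = os.path.join(root, "passwd")
    with open(passwd_path, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
        f.write("alice:x:1000:1000:Alice:%s:/bin/sh\n" % os.path.join(home_root, "alice"))
    with open(os.path.join(home_root, "alice", ".ssh", "authorized_keys"), "w") as f:
        f.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyDataAlice alice@laptop\n")
    with open(os.path.join(home_root, "bob", ".ssh", "authorized_keys"), "w") as f:
        f.write("# added 2012, never removed\n")
        f.write('command="/usr/bin/rsync --server" ssh-rsa AAAAB3NzaC1yc2EFakeKeyDataBob bob@old-laptop\n')
    return home_root, passwd_path

if __name__ == "__main__":
    home_root, passwd_path = make_fixture()
    for account, status, key_type, comment in audit_authorized_keys(home_root, passwd_path):
        print("%-8s %-8s %-12s %s" % (status, account, key_type, comment))
```

On a real host you would point `audit_authorized_keys` at /home and /etc/passwd (and repeat for /root and any service accounts whose home lives elsewhere); the orphaned entries are the ones to delete, and the live ones are the list to reconcile against who should still have access.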

Stolen Developer Keys more Frequently Used to Sign Malware
-http://blogs.technet.com/b/mmpc/archive/2013/12/15/be-a-real-security-pro-keep-your-private-keys-private.aspx

OpenX Ad Server SQL Injection 0-day Vulnerability Actively Exploited
-http://www.kreativrauschen.com/blog/2013/12/18/zero-day-vulnerability-in-openx-source-2-8-11-and-revive-adserver-3-0-1/



************************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry recently retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response. He is now president of CrowdStrike Services.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a Senior Security Consultant and Malware Analyst for InGuardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/